Skip to content

chore(deps): bump axios from 1.13.5 to 1.15.0 in /libs/vscode-extension#9063

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/libs/vscode-extension/axios-1.15.0
Open

chore(deps): bump axios from 1.13.5 to 1.15.0 in /libs/vscode-extension#9063
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/libs/vscode-extension/axios-1.15.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 15, 2026

Bumps axios from 1.13.5 to 1.15.0.

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

  • Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

  • Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
  • Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

  • Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

  • CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
  • Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
  • Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
  • Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
  • Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

  • Breaking Changes: None identified in this release.
  • Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

  • Runtime Features: No new end-user features were introduced in this release.
  • Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

  • Headers: Trim trailing CRLF in normalised header values. (#7456)
  • HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
  • Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
  • Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.0 — April 7, 2026

This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.

🔒 Security Fixes

  • Header Injection (CRLF): Rejects any header value containing \r or \n characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw "Invalid character in header content". (#10660)

  • SSRF via no_proxy Bypass: Introduces a shouldBypassProxy helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating no_proxy/NO_PROXY rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (#10661)

🚀 New Features

  • Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (#10652)

🐛 Bug Fixes

  • Node.js v22 Compatibility: Replaced deprecated url.parse() calls with the WHATWG URL/URLSearchParams API across examples, sandbox, and tests, eliminating DEP0169 deprecation warnings on Node.js v22+. (#10625)

🔧 Maintenance & Chores

  • CI Security Hardening: Added zizmor GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived NODE_AUTH_TOKEN); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated npm-publish environment; and blocked the sponsor-block workflow from running on forks. (#10618, #10619, #10627, #10637, #10641, #10666)

  • Docs: Clarified HTTP/2 support and the unsupported httpVersion option; added documentation for header case preservation; improved the beforeRedirect example to prevent accidental credential leakage. (#10644, #10654, #10624)

  • Dependencies: Bumped picomatch, handlebars, serialize-javascript, vite (×3), denoland/setup-deno, and 4 additional dev dependencies to latest versions. (#10564, #10565, #10567, #10568, #10572, #10574, #10663, #10664, #10665, #10669, #10670)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.14.0 — March 27, 2026

This release fixes a security vulnerability in the formidable dependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain.

🔒 Security Fixes

  • Formidable Vulnerability: Upgraded formidable from v2 to v3 to address a reported arbitrary-file vulnerability. Updated test server and assertions to align with the v3 API. (#7533)

🐛 Bug Fixes

... (truncated)

Commits
  • 772a4e5 chore(release): prepare release 1.15.0 (#10671)
  • 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
  • 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
  • fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
  • 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
  • 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
  • e66530e ci: require npm-publish environment for releases (#10666)
  • 49f23cb chore(sponsor): update sponsor block (#10668)
  • 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
  • fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump axios from 1.13.5 to 1.15.0 in /libs/vscode-extension
7408533 
Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.5...v1.15.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 15, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026
edited
Loading

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump axios from 1.13.5 to 1.15.0 in /libs/vscode-extension
  • Issue: None — title is clear, follows conventional commit style, and identifies the dependency and location.
  • Recommendation: Keep as-is. Good job including the package upgraded and target folder.

Commit Type

  • The PR body does not follow the required template and therefore does not include the "Commit Type" checkbox section.
  • Note: From the title this is a chore (dependency bump), which is correct.
  • Recommendation: Update the PR body to include the PR template and mark the chore checkbox under "Commit Type" so reviewers can quickly validate scope.

Risk Level

  • The PR is missing a risk-level selection in the PR body and there is no repository label like risk:low / risk:medium / risk:high present on the PR.
  • Assessment: Based on the code diff this is a dependency bump of axios in libs/vscode-extension (package.json only, 1 line change). Axios 1.15.0 contains security fixes (SSRF and header-injection fixes) and other runtime/behavior changes (headers with CR/LF now throw, proxy/no_proxy normalization improvements). While these are security improvements, they can alter runtime behavior (for example, code that previously passed header values containing CR/LF would now error). Because of that potential for behavior change in callers, the advised risk level is: risk:medium.
  • Recommendation: Add a risk:medium label to this PR and fill the PR template's Risk Level with Medium. If you have reviewed the codebase and can guarantee axios is only used in ways that won't hit the changed behavior (or you have tests to show it), you can justify Low, but please document that reasoning in the PR body.

What & Why

  • Current: The PR body contains the Dependabot auto-generated release notes for axios (very long), not a concise "What & Why" section following the repo template. (Missing concise What & Why section.)
  • Issue: Reviewers expect a short summary in the PR body that states exactly what the change is and why it is being made. The full release notes are useful, but a 1-2 sentence summary is required for quick triage.
  • Recommendation: Add a brief "What & Why" section such as:
    • "What: Bump axios from 1.13.5 to 1.15.0 in libs/vscode-extension/package.json."
    • "Why: Includes security fixes for header injection and SSRF and other maintenance updates — we should upgrade to pick up these fixes."

Impact of Change

  • Issue: The PR body does not include the required "Impact of Change" section.
  • Recommendation: Add the Impact of Change section (brief bullets). Example content to paste into the PR body:
    • Users: No direct user-facing UI changes. Potential for changed network behavior if extension code relied on previous axios permissive header handling; please validate extension features that make external HTTP requests.
    • Developers: Upgrade may cause runtime errors if code passed header values containing CR or LF; review any in-repo axios usage and update if necessary.
    • System: No infra or architecture changes; ensure CI passes and verify the VSCode extension build + runtime tests.

Test Plan

  • Assessment: The code diff only changes libs/vscode-extension/package.json (1 addition, 1 deletion). There are no unit tests or E2E tests added in this PR and the PR body does not include a Test Plan following the template.
  • Issue: For dependency upgrades that include security fixes and potential behavior changes, we require a Test Plan in the PR body confirming what was validated.
  • Recommendation: Update the PR body Test Plan. At minimum include:
    • Run the repository unit test suite and paste results / indicate CI status.
    • Confirm the VSCode extension build and run a smoke test of any features that make HTTP requests (list which features were exercised).
    • If there are no code paths that could be affected, document why (e.g., "axios is only used for telemetry in a safe manner and we validated logs contain no CR/LF headers").

If you cannot add automated tests in this PR, provide a short explicit manual test checklist and results (what you ran, on what platform/node version) so reviewers can accept the change.

⚠️ Contributors

  • Assessment: PR body has no "Contributors" section (Dependabot PRs rarely do). This is optional.
  • Recommendation: Not required to block merge, but consider adding a short acknowledgement if other team members reviewed or assisted.

⚠️ Screenshots/Videos

  • Assessment: Not applicable for this change (non-visual). No action needed.
  • Recommendation: Leave blank.

Summary Table

Section Status Recommendation
Title Title is clear and follows convention.
Commit Type Update PR body to use template and mark chore
Risk Level Add risk:medium label and select Medium in PR body; document justification
What & Why Add concise 1-2 sentence "What & Why" section as suggested
Impact of Change Add bullets for Users/Developers/System as suggested
Test Plan Add unit/CI results or manual test checklist validating HTTP behavior and extension runtime
Contributors ⚠️ Optional: add if others contributed/reviewed
Screenshots/Videos ⚠️ Not applicable

Next steps (recommended quick checklist)

  1. Update the PR body to use the repository PR template.
  2. In that template:
    • Mark Commit Type -> chore.
    • Select Risk Level -> Medium and add the risk:medium label to the PR.
    • Add a concise "What & Why" summary (suggested wording included above).
    • Add the "Impact of Change" bullet points tailored to your repo.
    • Add a Test Plan: run unit tests, run extension smoke tests, and paste brief results or a short manual test checklist and results.
  3. Verify CI (unit tests & build) passes. If CI is green and you have the manual verification recorded in the PR body, maintainers can more confidently merge.

If you update the PR body with these changes and paste CI/test outputs, I will re-evaluate and update the pass/fail status. Thank you for keeping dependencies up to date — this bump contains important security fixes and should be applied after the validation steps above.

Last updated: Wed, 15 Apr 2026 23:30:00 GMT

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026

📊 Coverage check completed. See workflow run for details.

This was referenced Apr 16, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code needs-pr-update

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants